If your LocalManager certificate in NSX-T Manager is going to expire soon, you can use the following guide to replace it. The LocalManager certificate is the Principal Identity certificate used to communicate with other sites in Federation.
Take an NSX-T backup beforehand.
Log in to NSX-T Manager
Click system > click certificates > click the certificates tab
You will see your LocalManager certificate, and that it is in use
Click the CSRs tab > click generate csr > click generate csr
Put the CN as local-manager
Put the Name as LocalManager
The rest is your own business and location details
Click save
Click your new csr tick box > click generate csr > click self sign certificate for csr
Untick service certificate and click save
Click back to certificates tab
You will see your new certificate with the details you entered earlier
Copy the ID; you will need it
Open postman
Copy the below url to postman using your nsx-t manager server details
Change the request method to POST
POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
Click the authorization tab
Change to basic auth and put in your login details of nsx-t manager
Click the headers tab > Change KEY to Content-Type > Change VALUE to application/json
Click the body tab > Change to raw > change to JSON > copy the below to the body > Change the id to your new certificate id.
Click Send
{ "cert_id": "<id>",
"service_type": "LOCAL_MANAGER" }
Go back to NSX-T Manager and refresh; you will see that "where used" has changed to your new certificate
If you are on an earlier version of NSX-T where "where used" is not shown in the NSX-T Manager UI, use the API below to get the used by
If it is not used, the used by is blank, like below
Look for "used_by": []
Get all certificates, whether used or not
GET https://172.168.1.236/api/v1/trust-management/certificates
Or get just the one certificate by putting the certificate ID at the end
GET https://172.168.1.236/api/v1/trust-management/certificates/dee8d78b-5e04-4deb-8d36-6b86f79f058b
Below is an example
Delete the old certificate from NSX-T Manager once you have confirmed it is no longer used
Official VMware doco to replace the certificate via nsx-t
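The Postman request and the used_by check above, scripted as an added example (not code from the original post or from VMware). It builds the POST without sending it and decides from a certificate listing whether the old certificate can be deleted. The "results" wrapper, the shape of the used_by entries, the hostname, the credentials and the certificate IDs are assumptions constructed for the example.

```python
import base64
import json
import urllib.request
import uuid


def build_set_pi_request(manager, cert_id, user, password):
    """Build (without sending) the POST that sets cert_id as the LocalManager certificate."""
    uuid.UUID(cert_id)  # ValueError if the "<id>" placeholder was left in the body
    url = (f"https://{manager}/api/v1/trust-management/certificates"
           "?action=set_pi_certificate_for_federation")
    body = json.dumps({"cert_id": cert_id, "service_type": "LOCAL_MANAGER"}).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {token}"}
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


def old_cert_is_unused(listing, old_id, new_id):
    """True only if the new certificate is in use and the old one has "used_by": []."""
    by_id = {cert["id"]: cert for cert in listing["results"]}
    if old_id not in by_id or new_id not in by_id:
        raise KeyError("certificate id not present in the listing")
    return bool(by_id[new_id].get("used_by")) and not by_id[old_id].get("used_by")


# Constructed sample listings (assumed response shape), before and after the swap.
OLD_ID = "11111111-1111-4111-8111-111111111111"
NEW_ID = "22222222-2222-4222-8222-222222222222"
BEFORE = {"results": [
    {"id": OLD_ID, "used_by": [{"service_types": ["LOCAL_MANAGER"]}]},
    {"id": NEW_ID, "used_by": []},
]}
AFTER = {"results": [
    {"id": OLD_ID, "used_by": []},
    {"id": NEW_ID, "used_by": [{"service_types": ["LOCAL_MANAGER"]}]},
]}

if __name__ == "__main__":
    req = build_set_pi_request("nsx-mgr.example", NEW_ID, "admin", "constructed-password")
    print(req.get_method(), req.full_url)
    print("old cert removable before swap:", old_cert_is_unused(BEFORE, OLD_ID, NEW_ID))
    print("old cert removable after swap: ", old_cert_is_unused(AFTER, OLD_ID, NEW_ID))
```

To send the request, pass the returned object to urllib.request.urlopen from a host that trusts the manager's certificate.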